⬆️ gha: Bump the github-actions group across 1 directory with 13 updates

[dependabot]

Bumps the github-actions group with 13 updates in the / directory:

Package	From	To
step-security/harden-runner	2.12.1	2.13.1
actions/checkout	4.2.2	5.0.0
actions/dependency-review-action	4.7.1	4.8.0
reviewdog/action-tflint	1.24.2	1.25.0
reviewdog/action-trivy	1.13.10	1.14.0
reviewdog/action-actionlint	1.65.2	1.67.0
actions/labeler	5.0.0	6.0.1
mikepenz/release-changelog-builder-action	5.3.1	5.4.1
softprops/action-gh-release	2.3.2	2.3.4
ossf/scorecard-action	2.4.2	2.4.3
github/codeql-action	3.29.0	3.30.6
actions/setup-go	5.5.0	6.0.0
aws-actions/configure-aws-credentials	4.2.1	5.1.0

Updates step-security/harden-runner from 2.12.1 to 2.13.1

Release notes

Sourced from step-security/harden-runner's releases.

v2.13.1

What's Changed

• Graceful handling of HTTP errors: Improved error handling when fetching Harden Runner policies from the StepSecurity Policy Store API, ensuring more reliable execution even in case of temporary network/API issues.

• Security updates for npm dependencies: Updated vulnerable npm package dependencies to the latest secure versions.

• Faster enterprise agent downloads: The enterprise agent is now downloaded from GitHub Releases instead of packages.stepsecurity.io, improving download speed and reliability.

Full Changelog: step-security/harden-runner@v2.13.0...v2.13.1

v2.13.0

What's Changed

• Improved job markdown summary
• Https monitoring for all domains (included with the enterprise tier)

Full Changelog: step-security/harden-runner@v2...v2.13.0

v2.12.2

What's Changed

Added HTTPS Monitoring for additional destinations - *.githubusercontent.com Bug fixes:

• Implicitly allow local multicast, local unicast and broadcast IP addresses in block mode
• Increased policy map size for block mode

Full Changelog: step-security/harden-runner@v2...v2.12.2

Commits

• f4a75cf Merge pull request #588 from step-security/rc-26
• 95503d0 ci: remove code-review workflow
• 4b250a0 ci: add job to confirm dist is as expected
• 5b0ab6a update dependencies
• d11f2c1 fix bug where status code was not being preserved
• b3fc98e improve error handling for policy store sceanrio
• 92fc5d4 update error message
• b61b0a4 policy store improvements
• e3d3f2b use GitHub release instead of packages
• 646ac01 update agent
• Additional commits viewable in compare view

Updates actions/checkout from 4.2.2 to 5.0.0

Release notes

Sourced from actions/checkout's releases.

v5.0.0

What's Changed

• Update actions checkout to use node 24 by @​salmanmkc in actions/checkout#2226
• Prepare v5.0.0 release by @​salmanmkc in actions/checkout#2238

⚠️ Minimum Compatible Runner Version

v2.327.1
Release Notes

Make sure your runner is updated to this version or newer to use this release.

Full Changelog: actions/checkout@v4...v5.0.0

v4.3.0

What's Changed

• docs: update README.md by @​motss in actions/checkout#1971
• Add internal repos for checking out multiple repositories by @​mouismail in actions/checkout#1977
• Documentation update - add recommended permissions to Readme by @​benwells in actions/checkout#2043
• Adjust positioning of user email note and permissions heading by @​joshmgross in actions/checkout#2044
• Update README.md by @​nebuk89 in actions/checkout#2194
• Update CODEOWNERS for actions by @​TingluoHuang in actions/checkout#2224
• Update package dependencies by @​salmanmkc in actions/checkout#2236
• Prepare release v4.3.0 by @​salmanmkc in actions/checkout#2237

New Contributors

• @​motss made their first contribution in actions/checkout#1971
• @​mouismail made their first contribution in actions/checkout#1977
• @​benwells made their first contribution in actions/checkout#2043
• @​nebuk89 made their first contribution in actions/checkout#2194
• @​salmanmkc made their first contribution in actions/checkout#2236

Full Changelog: actions/checkout@v4...v4.3.0

Changelog

Sourced from actions/checkout's changelog.

Changelog

V5.0.0

• Update actions checkout to use node 24 by @​salmanmkc in actions/checkout#2226

V4.3.0

• docs: update README.md by @​motss in actions/checkout#1971
• Add internal repos for checking out multiple repositories by @​mouismail in actions/checkout#1977
• Documentation update - add recommended permissions to Readme by @​benwells in actions/checkout#2043
• Adjust positioning of user email note and permissions heading by @​joshmgross in actions/checkout#2044
• Update README.md by @​nebuk89 in actions/checkout#2194
• Update CODEOWNERS for actions by @​TingluoHuang in actions/checkout#2224
• Update package dependencies by @​salmanmkc in actions/checkout#2236

v4.2.2

• url-helper.ts now leverages well-known environment variables by @​jww3 in actions/checkout#1941
• Expand unit test coverage for isGhes by @​jww3 in actions/checkout#1946

v4.2.1

• Check out other refs/* by commit if provided, fall back to ref by @​orhantoy in actions/checkout#1924

v4.2.0

• Add Ref and Commit outputs by @​lucacome in actions/checkout#1180
• Dependency updates by @​dependabot- actions/checkout#1777, actions/checkout#1872

v4.1.7

• Bump the minor-npm-dependencies group across 1 directory with 4 updates by @​dependabot in actions/checkout#1739
• Bump actions/checkout from 3 to 4 by @​dependabot in actions/checkout#1697
• Check out other refs/* by commit by @​orhantoy in actions/checkout#1774
• Pin actions/checkout's own workflows to a known, good, stable version. by @​jww3 in actions/checkout#1776

v4.1.6

• Check platform to set archive extension appropriately by @​cory-miller in actions/checkout#1732

v4.1.5

• Update NPM dependencies by @​cory-miller in actions/checkout#1703
• Bump github/codeql-action from 2 to 3 by @​dependabot in actions/checkout#1694
• Bump actions/setup-node from 1 to 4 by @​dependabot in actions/checkout#1696
• Bump actions/upload-artifact from 2 to 4 by @​dependabot in actions/checkout#1695
• README: Suggest user.email to be 41898282+github-actions[bot]@users.noreply.github.com by @​cory-miller in actions/checkout#1707

v4.1.4

• Disable extensions.worktreeConfig when disabling sparse-checkout by @​jww3 in actions/checkout#1692
• Add dependabot config by @​cory-miller in actions/checkout#1688
• Bump the minor-actions-dependencies group with 2 updates by @​dependabot in actions/checkout#1693
• Bump word-wrap from 1.2.3 to 1.2.5 by @​dependabot in actions/checkout#1643

v4.1.3

... (truncated)

Commits

• 08c6903 Prepare v5.0.0 release (#2238)
• 9f26565 Update actions checkout to use node 24 (#2226)
• 08eba0b Prepare release v4.3.0 (#2237)
• 631c7dc Update package dependencies (#2236)
• 8edcb1b Update CODEOWNERS for actions (#2224)
• 09d2aca Update README.md (#2194)
• 85e6279 Adjust positioning of user email note and permissions heading (#2044)
• 009b9ae Documentation update - add recommended permissions to Readme (#2043)
• cbb7224 Update README.md (#1977)
• 3b9b8c8 docs: update README.md (#1971)
• See full diff in compare view

Updates actions/dependency-review-action from 4.7.1 to 4.8.0

Release notes

Sourced from actions/dependency-review-action's releases.

v4.8.0

What's Changed

• Make Ruby Code Scannable by @​ljones140 in actions/dependency-review-action#978
• Batch some contributions for release by @​brrygrdn in actions/dependency-review-action#986
  • Make license lists collapsable by @​jasperkamerling
  • feat: add large summary handling with artifact upload by @​MattMencel

New Contributors

• @​ljones140 made their first contribution in actions/dependency-review-action#978
• @​jasperkamerling made their first contribution in actions/dependency-review-action#986
• @​MattMencel made their first contribution in actions/dependency-review-action#986

Full Changelog: actions/dependency-review-action@v4...v4.8.0

4.7.3

What's Changed

• Add explicit permissions to workflow files by @​AshelyTC in actions/dependency-review-action#966
• Claire153/fix spamming mentioned issue by @​claire153 in actions/dependency-review-action#974

Full Changelog: actions/dependency-review-action@v4...v4.7.3

4.7.2

What's Changed

• Add Missing Languages to CodeQL Advanced Configuration by @​KyFaSt in actions/dependency-review-action#945
• Deprecate deny lists by @​claire153 in actions/dependency-review-action#958
• Address discrepancy between docs and reality by @​ahpook in actions/dependency-review-action#960

New Contributors

• @​KyFaSt made their first contribution in actions/dependency-review-action#945
• @​claire153 made their first contribution in actions/dependency-review-action#958
• @​ahpook made their first contribution in actions/dependency-review-action#960

Full Changelog: actions/dependency-review-action@v4...v4.7.2

Commits

• 56339e5 Merge pull request #988 from actions/brrygrdn/rc-4.8.0
• 1688b74 Bump to a 4.8.0
• 31c9f17 Merge pull request #987 from actions/rc-4.7.4
• eacde78 Update version
• 8151009 Merge pull request #986 from actions/brrygrdn/rc-4.7.4
• b472ec9 Add a quick regression test for the artefact summary
• e0cedc5 feat: add large summary handling with artifact upload
• e3fdf0f This ensures large allow or deny lists don't create huge comments
• 6fad417 Merge pull request #978 from actions/ljones140/make-ruby-code-scannable
• e86e969 Update scripts/scan_pr_lib.rb
• Additional commits viewable in compare view

Updates reviewdog/action-tflint from 1.24.2 to 1.25.0

Release notes

Sourced from reviewdog/action-tflint's releases.

Release v1.25.0

What's Changed

• chore(deps): update reviewdog/action-misspell action to v1.26.2 by @​renovate[bot] in reviewdog/action-tflint#105
• chore(deps): update reviewdog/action-depup action to v1.6.4 by @​renovate[bot] in reviewdog/action-tflint#104
• chore(deps): update reviewdog/action-misspell action to v1.26.3 by @​renovate[bot] in reviewdog/action-tflint#106
• README: Pin GitHub Actions with commit SHA using pinact by @​haya14busa in reviewdog/action-tflint#108
• chore(deps): update reviewdog/reviewdog to 0.21.0 by @​github-actions[bot] in reviewdog/action-tflint#101

Full Changelog: reviewdog/action-tflint@v1.24.2...v1.25.0

Commits

• 54a5e5a chore(deps): update reviewdog/reviewdog to 0.21.0 (#101)
• 92ecd5b README: Pin GitHub Actions with commit SHA using pinact (#108)
• 4e022bb chore(deps): update reviewdog/action-misspell action to v1.26.3 (#106)
• 1848510 chore(deps): update reviewdog/action-depup action to v1.6.4 (#104)
• f1101e4 chore(deps): update reviewdog/action-misspell action to v1.26.2 (#105)
• See full diff in compare view

Updates reviewdog/action-trivy from 1.13.10 to 1.14.0

Release notes

Sourced from reviewdog/action-trivy's releases.

Release v1.14.0

v1.14.0: PR #104 - chore(deps): update reviewdog to 0.21.0

Commits

• a1e6d7d Merge pull request #104 from reviewdog/depup/reviewdog
• 20b6816 chore(deps): update reviewdog to 0.21.0
• a1a479d Merge pull request #94 from reviewdog/renovate/azurerm-4.x
• 7a02290 chore(deps): update terraform azurerm to ~> 4.26.0
• 590ac69 Merge pull request #93 from reviewdog/renovate/aws-5.x
• f895ad5 chore(deps): update terraform aws to ~> 5.94.0
• 5392bcc Merge pull request #92 from reviewdog/renovate/azurerm-4.x
• 0e5f775 chore(deps): update terraform azurerm to ~> 4.25.0
• 90be6ba Merge pull request #91 from reviewdog/renovate/aws-5.x
• 536d9aa chore(deps): update terraform aws to ~> 5.93.0
• Additional commits viewable in compare view

Updates reviewdog/action-actionlint from 1.65.2 to 1.67.0

Release notes

Sourced from reviewdog/action-actionlint's releases.

Release v1.67.0

v1.67.0: PR #172 - chore(deps): update reviewdog to 0.21.0

Release v1.66.1

v1.66.1: PR #171 - bump the patch version

v1.66.0

What's Changed

• chore(deps): update reviewdog/action-depup action to v1.6.4 by @​renovate[bot] in reviewdog/action-actionlint#158
• README: Pin GitHub Actions with commit SHA using pinact by @​haya14busa in reviewdog/action-actionlint#161
• chore(deps): update shogo82148/actions-create-release action to v1.7.7 by @​renovate[bot] in reviewdog/action-actionlint#162
• chore(deps): update shogo82148/actions-create-release action to v1.7.8 by @​renovate[bot] in reviewdog/action-actionlint#164
• chore(deps): update shellcheck to 0.11.0 by @​github-actions[bot] in reviewdog/action-actionlint#166
• chore(deps): update docker/setup-buildx-action action to v3.11.1 by @​renovate[bot] in reviewdog/action-actionlint#165
• chore(deps): update haya14busa/action-bumpr action to v1.11.4 by @​renovate[bot] in reviewdog/action-actionlint#163

Full Changelog: reviewdog/action-actionlint@v1.65.2...v1.66.0

Release v1.65.3

v1.65.3: PR #170 - bump the patch version

Commits

• 95395aa bump v1.67.0
• af47a90 Merge branch 'main' into releases/v1
• 93dc1f9 Merge pull request #172 from reviewdog/depup/reviewdog
• 37d6325 chore(deps): update reviewdog to 0.21.0
• e37e2ca bump v1.66.1
• 421367c Merge branch 'main' into releases/v1
• 93ee9b0 Merge pull request #171 from reviewdog/bump-minor
• 41038bc bump the minor version
• 4a597f8 bump v1.65.3
• 826eac1 Merge branch 'main' into releases/v1
• Additional commits viewable in compare view

Updates actions/labeler from 5.0.0 to 6.0.1

Release notes

Sourced from actions/labeler's releases.

v6.0.1

What's Changed

• Upgrade publish-action from 0.2.2 to 0.4.0 by @​aparnajyothi-y in actions/labeler#901

New Contributors

• @​aparnajyothi-y made their first contribution in actions/labeler#901

Full Changelog: actions/labeler@v6.0.0...v6.0.1

v6.0.0

What's Changed

• Add workflow file for publishing releases to immutable action package by @​jcambass in actions/labeler#802

Breaking Changes

• Upgrade Node.js version to 24 in action and dependencies @​salmanmkc in actions/labeler#891 Make sure your runner is on version v2.327.1 or later to ensure compatibility with this release. Release Notes

Dependency Upgrades

• Upgrade eslint-config-prettier from 9.0.0 to 9.1.0 by @​dependabot[bot] in actions/labeler#711
• Upgrade eslint from 8.52.0 to 8.55.0 by @​dependabot[bot] in actions/labeler#720
• Upgrade @​types/jest from 29.5.6 to 29.5.11 by @​dependabot[bot] in actions/labeler#719
• Upgrade @​types/js-yaml from 4.0.8 to 4.0.9 by @​dependabot[bot] in actions/labeler#718
• Upgrade @​typescript-eslint/parser from 6.9.0 to 6.14.0 by @​dependabot[bot] in actions/labeler#717
• Upgrade prettier from 3.0.3 to 3.1.1 by @​dependabot[bot] in actions/labeler#726
• Upgrade eslint from 8.55.0 to 8.56.0 by @​dependabot[bot] in actions/labeler#725
• Upgrade @​typescript-eslint/parser from 6.14.0 to 6.19.0 by @​dependabot[bot] in actions/labeler#745
• Upgrade eslint-plugin-jest from 27.4.3 to 27.6.3 by @​dependabot[bot] in actions/labeler#744
• Upgrade @​typescript-eslint/eslint-plugin from 6.9.0 to 6.20.0 by @​dependabot[bot] in actions/labeler#750
• Upgrade prettier from 3.1.1 to 3.2.5 by @​dependabot[bot] in actions/labeler#752
• Upgrade undici from 5.26.5 to 5.28.3 by @​dependabot[bot] in actions/labeler#757
• Upgrade braces from 3.0.2 to 3.0.3 by @​dependabot[bot] in actions/labeler#789
• Upgrade minimatch from 9.0.3 to 10.0.1 by @​dependabot[bot] in actions/labeler#805
• Upgrade @​actions/core from 1.10.1 to 1.11.1 by @​dependabot[bot] in actions/labeler#811
• Upgrade typescript from 5.4.3 to 5.7.2 by @​dependabot[bot] in actions/labeler#819
• Upgrade @​typescript-eslint/parser from 7.3.1 to 8.17.0 by @​dependabot[bot] in actions/labeler#824
• Upgrade prettier from 3.2.5 to 3.4.2 by @​dependabot[bot] in actions/labeler#825
• Upgrade @​types/jest from 29.5.12 to 29.5.14 by @​dependabot[bot] in actions/labeler#827
• Upgrade eslint-plugin-jest from 27.9.0 to 28.9.0 by @​dependabot[bot] in actions/labeler#832
• Upgrade ts-jest from 29.1.2 to 29.2.5 by @​dependabot[bot] in actions/labeler#831
• Upgrade @​vercel/ncc from 0.38.1 to 0.38.3 by @​dependabot[bot] in actions/labeler#830
• Upgrade typescript from 5.7.2 to 5.7.3 by @​dependabot[bot] in actions/labeler#835
• Upgrade eslint-plugin-jest from 28.9.0 to 28.11.0 by @​dependabot[bot] in actions/labeler#839
• Upgrade undici from 5.28.4 to 5.28.5 by @​dependabot[bot] in actions/labeler#842
• Upgrade @​octokit/request-error from 5.0.1 to 5.1.1 by @​dependabot[bot] in actions/labeler#846

Documentation changes

• Add note regarding pull_request_target to README.md by @​silverwind in actions/labeler#669
• Update readme with additional examples and important note about pull_request_target event by @​IvanZosimov in actions/labeler#721
• Document update - permission section by @​harithavattikuti in actions/labeler#840

... (truncated)

Commits

• 634933e publish-action upgrade to 0.4.0 from 0.2.2 (#901)
• f1a63e8 Update Node.js version to 24 in action and dependencies (#891)
• b0a1180 Bump @​octokit/request-error from 5.0.1 to 5.1.1 (#846)
• 110d441 Update README.md (#871)
• bee50fe Bump undici from 5.28.4 to 5.28.5 (#842)
• 6463cdb Bump eslint-plugin-jest from 28.9.0 to 28.11.0 (#839)
• c209686 Bump typescript from 5.7.2 to 5.7.3 (#835)
• 5184940 Bump @​vercel/ncc from 0.38.1 to 0.38.3 (#830)
• 3629d55 Document update - permission section (#840)
• d24f7f3 Bump ts-jest from 29.1.2 to 29.2.5 (#831)
• Additional commits viewable in compare view

Updates mikepenz/release-changelog-builder-action from 5.3.1 to 5.4.1

Release notes

Sourced from mikepenz/release-changelog-builder-action's releases.

v5.4.1

💬 Other

• Improve CI test run report
  • PR: #1463

📦 Dependencies

• Upgrade dependencies
  • PR: #1462

Contributors:

• @​mikepenz

v5.4.0

🚀 Features

• Add new offlineMode
  • PR: #1460

Contributors:

• @​mikepenz

Commits

• c9dc836 Merge pull request #1465 from mikepenz/develop
• 825abd1 Merge pull request #1463 from mikepenz/ci/impr
• 59e4e52 Merge pull request #1462 from mikepenz/feature/dependency_upgrades
• e1c7bbf - combined run for tests to get a full report
• 981311d - upgrade dependencies globals, and ton of dev dependencies
• e97a713 Merge pull request #1461 from mikepenz/develop
• af5898d Merge pull request #1460 from mikepenz/feature/1459
• 6c979ed - also test the offline variant
• 8357bc6 - make sure we reset env prior to the next test
• 0f359e3 - apply codeQL rule
• Additional commits viewable in compare view

Updates softprops/action-gh-release from 2.3.2 to 2.3.4

Release notes

Sourced from softprops/action-gh-release's releases.

v2.3.4

What's Changed

Bug fixes 🐛

• fix(action): handle 422 already_exists race condition by @​stephenway in softprops/action-gh-release#665

Other Changes 🔄

• chore(deps): bump actions/setup-node from 4.4.0 to 5.0.0 in the github-actions group by @​dependabot[bot] in softprops/action-gh-release#656
• chore(deps): bump @​types/node from 20.19.11 to 20.19.13 in the npm group by @​dependabot[bot] in softprops/action-gh-release#655
• chore(deps): bump vite from 7.0.0 to 7.1.5 by @​dependabot[bot] in softprops/action-gh-release#657
• chore(deps): bump the npm group across 1 directory with 2 updates by @​dependabot[bot] in softprops/action-gh-release#662
• chore(deps): bump the npm group with 3 updates by @​dependabot[bot] in softprops/action-gh-release#666

Full Changelog: softprops/action-gh-release@v2...v2.3.4

v2.3.3

What's Changed

Exciting New Features 🎉

• feat: add input option overwrite_files by @​asfernandes in softprops/action-gh-release#343

Other Changes 🔄

• dependency updates

New Contributors

• @​asfernandes made their first contribution in softprops/action-gh-release#343

Full Changelog: softprops/action-gh-release@v2...v2.3.3

Changelog

Sourced from softprops/action-gh-release's changelog.

2.3.4

What's Changed

Bug fixes 🐛

• fix(action): handle 422 already_exists race condition by @​stephenway in softprops/action-gh-release#665

Other Changes 🔄

• dependency updates

2.3.3

What's Changed

Exciting New Features 🎉

• feat: add input option overwrite_files by @​asfernandes in softprops/action-gh-release#343

Other Changes 🔄

• dependency updates

2.3.2

• fix: revert fs readableWebStream change

2.3.1

Bug fixes 🐛

• fix: fix file closing issue by @​WailGree in softprops/action-gh-release#629

2.3.0

• Migrate from jest to vitest
• Replace mime with mime-types
• Bump to use node 24
• Dependency updates

2.2.2

What's Changed

Bug fixes 🐛

• fix: updating release draft status from true to false by @​galargh in softprops/action-gh-release#316

Other Changes 🔄

... (truncated)

Commits

• 62c96d0 release 2.3.4
• 7dc9b8a fix(action): handle 422 already_exists race condition (#665)
• 0f0e0b9 chore(deps): bump the npm group with 3 updates (#666)
• 97d42c1 chore(deps): bump the npm group across 1 directory with 2 updates (#662)
• 19cd0bc chore(deps): bump vite from 7.0.0 to 7.1.5 (#657)
• 5d1b0b1 chore(deps): bump @​types/node from 20.19.11 to 20.19.13 in the npm group (#655)
• f6021cf chore(deps): bump actions/setup-node in the github-actions group (#656)
• 6cbd405 release 2.3.3
• fbadcc9 update to use actions/checkout@v5
• 4a84006 chore(deps): bump @​types/node from 20.19.10 to 20.19.11 in the npm group (#648)
• Additional commits viewable in compare view

Updates ossf/scorecard-action from 2.4.2 to 2.4.3

Release notes

Sourced from ossf/scorecard-action's releases.

v2.4.3

What's Changed

This update bumps the Scorecard version to the v5.3.0 release. For a complete list of changes, please refer to the Scorecard v5.3.0 release notes.

Documentation

• docs: clarify GITHUB_TOKEN permissions needed for private repos by @​pankajtaneja5 in ossf/scorecard-action#1574
• 📖 Fix recommended command to test the image in development by @​deivid-rodriguez in ossf/scorecard-action#1583

Other

• add missing top-level token permissions to workflows by @​timothyklee in ossf/scorecard-action#1566
• setup codeowners for requesting reviews by @​spencerschrock in ossf/scorecard-action#1576
• 🌱 Improve printing options by @​deivid-rodriguez in ossf/scorecard-action#1584

New Contributors

• @​timothyklee made their first contribution in ossf/scorecard-action#1566
• @​pankajtaneja5 made their first contribution in ossf/scorecard-action#1574
• @​deivid-rodriguez made their first contribution in ossf/scorecard-action#1584

Full Changelog: ossf/scorecard-action@v2.4.2...v2.4.3

Commits

• 4eaacf0 bump docker to ghcr v2.4.3 (#1587)
• 42e3a01 🌱 Bump the github-actions group with 3 updates (#1585)
• 88c07ac 🌱 Bump github.com/sigstore/cosign/v2 from 2.5.2 to 2.6.0 (#1579)
• 6c690f2 Bump github.com/ossf/scorecard/v5 from v5.2.1 to v5.3.0 (#1586)
• 92083b5 📖 Fix recommended command to test the image in development (#1583)
• 7975ea6 🌱 Bump the docker-images group across 1 directory with 2 updates (#1...
• 0d1a743 🌱 Bump github.com/spf13/cobra from 1.9.1 to 1.10.1 (#1575)
• 46e6e0c 🌱 Bump the github-actions group with 2 updates (#1580)
• c3f1350 🌱 Improve printing options (#1584)
• 43e475b 🌱 Bump golang.org/x/net from 0.42.0 to 0.44.0 (#1578)
• Additional commits viewable in ...

  Description has been truncated

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

---

Note

Free review on us!

CodeRabbit is offering free reviews until Wed Oct 08 2025 to showcase some of the refinements we've made.

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Scorecard details

Package	Version	Score	Details
actions/actions/checkout	08c6903cd8c0fde910a37f88322edcfb5dd907a8	🟢 6.7	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 5 6 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 5 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Packaging ⚠️ -1 packaging workflow not detected Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected Branch-Protection ⚠️ -1 internal error: error during GetBranch(releases/v2): error during branchesHandler.query: internal error: githubv4.Query: Resource not accessible by integration Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST 🟢 8 SAST tool detected but not run on all commits
actions/actions/dependency-review-action	56339e523c0409420f6c2c9a2f4292bbb3c07dd3	🟢 7.7	Details Check Score Reason Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo Security-Policy 🟢 9 security policy file detected Packaging ⚠️ -1 packaging workflow not detected Maintained 🟢 10 30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 10 all changesets reviewed CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions 🟢 9 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Pinned-Dependencies ⚠️ 2 dependency not pinned by hash detected -- score normalized to 2 Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 6 branch protection is not maximal on development and all release branches SAST 🟢 10 SAST tool is run on all commits Vulnerabilities 🟢 6 4 existing vulnerabilities detected
actions/step-security/harden-runner	f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a	🟢 8.7	Details Check Score Reason Binary-Artifacts 🟢 10 no binaries found in the repo Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration CI-Tests 🟢 10 8 out of 8 merged PRs checked by a CI test -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Code-Review 🟢 10 all changesets reviewed Contributors 🟢 6 project has 2 contributing companies or organizations -- score normalized to 6 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Dependency-Update-Tool 🟢 10 update tool detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Maintained 🟢 10 19 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Pinned-Dependencies 🟢 6 dependency not pinned by hash detected -- score normalized to 6 SAST 🟢 9 SAST tool detected but not run on all commits Security-Policy 🟢 10 security policy file detected Signed-Releases ⚠️ -1 no releases found Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Vulnerabilities 🟢 10 0 existing vulnerabilities detected
actions/actions/checkout	08c6903cd8c0fde910a37f88322edcfb5dd907a8	🟢 6.7	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 5 6 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 5 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Packaging ⚠️ -1 packaging workflow not detected Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected Branch-Protection ⚠️ -1 internal error: error during GetBranch(releases/v2): error during branchesHandler.query: internal error: githubv4.Query: Resource not accessible by integration Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST 🟢 8 SAST tool detected but not run on all commits
actions/actions/checkout	08c6903cd8c0fde910a37f88322edcfb5dd907a8	🟢 6.7	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 5 6 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 5 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Packaging ⚠️ -1 packaging workflow not detected Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected Branch-Protection ⚠️ -1 internal error: error during GetBranch(releases/v2): error during branchesHandler.query: internal error: githubv4.Query: Resource not accessible by integration Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST 🟢 8 SAST tool detected but not run on all commits
actions/reviewdog/action-actionlint	95395aac8c053577d0bc67eb7b74936c660c6f66	🟢 4.9	Details Check Score Reason Maintained 🟢 10 14 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo Code-Review ⚠️ 1 Found 1/6 approved changesets -- score normalized to 1 Packaging ⚠️ -1 packaging workflow not detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Vulnerabilities 🟢 10 0 existing vulnerabilities detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Pinned-Dependencies 🟢 7 dependency not pinned by hash detected -- score normalized to 7 Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Security-Policy ⚠️ 0 security policy file not detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
actions/reviewdog/action-tflint	54a5e5aed57dcfbb4662ec548de876df33d6288d	🟢 5.2	Details Check Score Reason Binary-Artifacts 🟢 10 no binaries found in the repo Packaging ⚠️ -1 packaging workflow not detected Code-Review 🟢 8 Found 13/16 approved changesets -- score normalized to 8 Maintained ⚠️ 0 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies 🟢 9 dependency not pinned by hash detected -- score normalized to 9 Vulnerabilities 🟢 10 0 existing vulnerabilities detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Security-Policy ⚠️ 0 security policy file not detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
actions/reviewdog/action-trivy	a1e6d7dd5520369c076d7ce639a16442938535d8	🟢 3.3	Details Check Score Reason Maintained ⚠️ 0 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 Code-Review ⚠️ 0 Found 0/3 approved changesets -- score normalized to 0 Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies 🟢 9 dependency not pinned by hash detected -- score normalized to 9 Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Signed-Releases ⚠️ -1 no releases found Security-Policy ⚠️ 0 security policy file not detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities 🟢 3 7 existing vulnerabilities detected
actions/step-security/harden-runner	f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a	🟢 8.7	Details Check Score Reason Binary-Artifacts 🟢 10 no binaries found in the repo Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration CI-Tests 🟢 10 8 out of 8 merged PRs checked by a CI test -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Code-Review 🟢 10 all changesets reviewed Contributors 🟢 6 project has 2 contributing companies or organizations -- score normalized to 6 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Dependency-Update-Tool 🟢 10 update tool detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Maintained 🟢 10 19 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Pinned-Dependencies 🟢 6 dependency not pinned by hash detected -- score normalized to 6 SAST 🟢 9 SAST tool detected but not run on all commits Security-Policy 🟢 10 security policy file detected Signed-Releases ⚠️ -1 no releases found Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Vulnerabilities 🟢 10 0 existing vulnerabilities detected
actions/actions/labeler	634933edcd8ababfe52f92936142cc22ac488b1b	🟢 5.7	Details Check Score Reason Maintained 🟢 5 6 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 5 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Binary-Artifacts 🟢 10 no binaries found in the repo Code-Review 🟢 10 all changesets reviewed Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected Vulnerabilities 🟢 7 3 existing vulnerabilities detected Branch-Protection ⚠️ 1 branch protection is not maximal on development and all release branches SAST 🟢 7 SAST tool is not run on all commits -- score normalized to 7
actions/step-security/harden-runner	f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a	🟢 8.7	Details Check Score Reason Binary-Artifacts 🟢 10 no binaries found in the repo Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration CI-Tests 🟢 10 8 out of 8 merged PRs checked by a CI test -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Code-Review 🟢 10 all changesets reviewed Contributors 🟢 6 project has 2 contributing companies or organizations -- score normalized to 6 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Dependency-Update-Tool 🟢 10 update tool detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Maintained 🟢 10 19 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Pinned-Dependencies 🟢 6 dependency not pinned by hash detected -- score normalized to 6 SAST 🟢 9 SAST tool detected but not run on all commits Security-Policy 🟢 10 security policy file detected Signed-Releases ⚠️ -1 no releases found Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Vulnerabilities 🟢 10 0 existing vulnerabilities detected
actions/actions/checkout	08c6903cd8c0fde910a37f88322edcfb5dd907a8	🟢 6.7	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 5 6 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 5 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Packaging ⚠️ -1 packaging workflow not detected Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected Branch-Protection ⚠️ -1 internal error: error during GetBranch(releases/v2): error during branchesHandler.query: internal error: githubv4.Query: Resource not accessible by integration Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST 🟢 8 SAST tool detected but not run on all commits
actions/mikepenz/release-changelog-builder-action	c9dc8369bccbc41e0ac887f8fd674f5925d315f7	🟢 6.3	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 5 issue activity found in the last 90 days -- score normalized to 10 Security-Policy 🟢 10 security policy file detected Packaging ⚠️ -1 packaging workflow not detected Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Code-Review ⚠️ 0 Found 0/4 approved changesets -- score normalized to 0 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Pinned-Dependencies ⚠️ 1 dependency not pinned by hash detected -- score normalized to 1 License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration SAST 🟢 10 SAST tool is run on all commits Vulnerabilities 🟢 10 0 existing vulnerabilities detected
actions/softprops/action-gh-release	62c96d0c4e8a889135c1f3a25910db8dbe0e85f7	🟢 5.2	Details Check Score Reason Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Binary-Artifacts 🟢 10 no binaries found in the repo Code-Review ⚠️ 2 Found 4/16 approved changesets -- score normalized to 2 Maintained 🟢 10 22 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Pinned-Dependencies 🟢 10 all dependencies are pinned Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Security-Policy ⚠️ 0 security policy file not detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities 🟢 10 0 existing vulnerabilities detected
actions/step-security/harden-runner	f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a	🟢 8.7	Details Check Score Reason Binary-Artifacts 🟢 10 no binaries found in the repo Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration CI-Tests 🟢 10 8 out of 8 merged PRs checked by a CI test -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Code-Review 🟢 10 all changesets reviewed Contributors 🟢 6 project has 2 contributing companies or organizations -- score normalized to 6 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Dependency-Update-Tool 🟢 10 update tool detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Maintained 🟢 10 19 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Pinned-Dependencies 🟢 6 dependency not pinned by hash detected -- score normalized to 6 SAST 🟢 9 SAST tool detected but not run on all commits Security-Policy 🟢 10 security policy file detected Signed-Releases ⚠️ -1 no releases found Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Vulnerabilities 🟢 10 0 existing vulnerabilities detected
actions/actions/checkout	08c6903cd8c0fde910a37f88322edcfb5dd907a8	🟢 6.7	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 5 6 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 5 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Packaging ⚠️ -1 packaging workflow not detected Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected Branch-Protection ⚠️ -1 internal error: error during GetBranch(releases/v2): error during branchesHandler.query: internal error: githubv4.Query: Resource not accessible by integration Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST 🟢 8 SAST tool detected but not run on all commits
actions/github/codeql-action/upload-sarif	64d10c13136e1c5bce3e5fbde8d4906eeaafc885	Unknown	Unknown
actions/ossf/scorecard-action	4eaacf0543bb3f2c246792bd56e8cdeffafb205a	🟢 9.1	Details Check Score Reason Dependency-Update-Tool 🟢 10 update tool detected Security-Policy 🟢 10 security policy file detected Maintained 🟢 10 17 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo Code-Review 🟢 10 all changesets reviewed Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Pinned-Dependencies 🟢 9 dependency not pinned by hash detected -- score normalized to 9 License 🟢 10 license file detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Signed-Releases ⚠️ -1 no releases found Packaging 🟢 10 packaging workflow detected Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST 🟢 10 SAST tool is run on all commits Fuzzing ⚠️ 0 project is not fuzzed Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration CI-Tests 🟢 10 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 16 contributing companies or organizations
actions/step-security/harden-runner	f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a	🟢 8.7	Details Check Score Reason Binary-Artifacts 🟢 10 no binaries found in the repo Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration CI-Tests 🟢 10 8 out of 8 merged PRs checked by a CI test -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Code-Review 🟢 10 all changesets reviewed Contributors 🟢 6 project has 2 contributing companies or organizations -- score normalized to 6 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Dependency-Update-Tool 🟢 10 update tool detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Maintained 🟢 10 19 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Pinned-Dependencies 🟢 6 dependency not pinned by hash detected -- score normalized to 6 SAST 🟢 9 SAST tool detected but not run on all commits Security-Policy 🟢 10 security policy file detected Signed-Releases ⚠️ -1 no releases found Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Vulnerabilities 🟢 10 0 existing vulnerabilities detected
actions/actions/checkout	08c6903cd8c0fde910a37f88322edcfb5dd907a8	🟢 6.7	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 5 6 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 5 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Packaging ⚠️ -1 packaging workflow not detected Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected Branch-Protection ⚠️ -1 internal error: error during GetBranch(releases/v2): error during branchesHandler.query: internal error: githubv4.Query: Resource not accessible by integration Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST 🟢 8 SAST tool detected but not run on all commits
actions/actions/setup-go	44694675825211faa026b3c33043df3e48a5fa00	🟢 6	Details Check Score Reason Packaging ⚠️ -1 packaging workflow not detected Code-Review 🟢 10 all changesets reviewed Maintained 🟢 5 7 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 5 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Signed-Releases ⚠️ -1 no releases found Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Security-Policy 🟢 9 security policy file detected Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST 🟢 9 SAST tool is not run on all commits -- score normalized to 9
actions/aws-actions/configure-aws-credentials	00943011d9042930efac3dcd3a170e4273319bc8	🟢 6.9	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 11 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Code-Review 🟢 6 Found 12/19 approved changesets -- score normalized to 6 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies ⚠️ 1 dependency not pinned by hash detected -- score normalized to 1 Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Security-Policy 🟢 10 security policy file detected SAST 🟢 10 SAST tool is run on all commits Vulnerabilities 🟢 10 0 existing vulnerabilities detected
actions/step-security/harden-runner	f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a	🟢 8.7	Details Check Score Reason Binary-Artifacts 🟢 10 no binaries found in the repo Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration CI-Tests 🟢 10 8 out of 8 merged PRs checked by a CI test -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Code-Review 🟢 10 all changesets reviewed Contributors 🟢 6 project has 2 contributing companies or organizations -- score normalized to 6 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Dependency-Update-Tool 🟢 10 update tool detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Maintained 🟢 10 19 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Pinned-Dependencies 🟢 6 dependency not pinned by hash detected -- score normalized to 6 SAST 🟢 9 SAST tool detected but not run on all commits Security-Policy 🟢 10 security policy file detected Signed-Releases ⚠️ -1 no releases found Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Vulnerabilities 🟢 10 0 existing vulnerabilities detected

Scanned Files

• .github/workflows/dependency-review.yml
• .github/workflows/infracost.yml
• .github/workflows/lint.yml
• .github/workflows/pr-label.yml
• .github/workflows/release.yml
• .github/workflows/scorecard.yml
• .github/workflows/test.yml

[github-actions]

💰 Infracost report

Monthly estimate generated

_{This comment will be updated when code changes.}